PHP Server Side Scripting Forum

I'm pitching to write an (web based) application which will be used by banks. The app is simple enough and I will be writing in OO PHP 5. Given that the script and server security will be as good as I can make it, does anyone think that the use of PHP will be seen as *inherently* untrustworthy or insecure by banking organisations?

I know larger institutions traditionally prefer Java or some form of CGI but I'd like to know peoples' opinions - do they think attitudes to PHP are different now?

I'm not a code expert that knows hard core coding and few languages, but these days PHP is the most preferred script to develop web applications. I could see some .Net applications migrating to PHP. Ex. FaceBook AFAIK is one of the bigger web apps that uses PHP. Orkut was using .Net and was not that much appealing as FB.

PHP is popular, IMO, mostly because almost anyone can do it, at least, perform basic functions as you learn. You don't need to understand or set execution permissions to run it, ordinary html can be included in it, and most of the functions that require moderate programming experience are coded right into the language as existing functions.

But the adage "a little bit of knowledge is dangerous" exists in PHP exponentially. The inline ability of PHP allows the inexperienced to create tangled spaghetti code; there are millions of PHP apps being deployed live without a single line of code to insure security; many of the scripts/site's I've reviewed clearly display a set of inexperienced hands in terms of convoluted logic and duct - taped inefficient solutions.

The question, however, really can't be answered with anything but a "yes." PHP has had security flaws and are easily exposed by a PCI compliance scan, but have been patched. I'm sure more will arise with time, but so it is with any language. You don't get this with Perl as much because, well, it's all old news. :-P

The trust issues with PHP are with who's writing it, and how well it's coded.

I know larger institutions traditionally prefer . . .

Banks, in particular, are more likely to tend toward a Windows-based solution, like .net or .asp, for one good reason that I can think of. Many of their most secure stuff is likely to be on internal servers, and their applications are likely to be written for Windows-based machines, and any public servers will likely have to integrate with these. So if a bank doesn't "trust" PHP, it's most likely because it won't integrate as easily what internal systems. Which is not really an issue of trust.